Samaritan Hospital confirms breach of patient records in late 2011

TROY -- An official at Samaritan Hospital confirmed a nursing supervisor at the Rensselaer County jail improperly accessed the hospital's patient records, triggering an investigation by Sheriff Jack Mahar.

Elmer Streeter, director of communications at St. Peter's Health Partners, the corporate parent of Samaritan, said the hospital was notified of the breach in November 2011.

"We received an inquiry that suggested that protected health information contained in electronic medical records that related to a patient at Samaritan Hospital may have been improperly accessed by a supervisory nursing staff member employed at the Rensselaer County Jail," he said.

Advertisement

Samaritan officials conducted an internal investigation after receiving the notification.

"We determined that there had been improper access on a particular account," Streeter said.

The hospital notified the sheriff about the breach and disabled the access of the individual whom they believed improperly accessing the information.

Streeter said the hospital's next step would have been to follow federal guidelines and notify patients whose records were improperly accessed. But a sheriff's investigation into the matter prevented them from doing so.

"The sheriff asked the hospital not to notify these persons," Streeter said.

"We're required to do that by federal regulations; if a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply."

At this point, some 14 months later, the sheriff's office has authorized Samaritan Hospital to notify the patients. Streeter said letters were being sent this week.

Asked the identity of the employee who committed the breach and why, Yvonne Keefe, a spokeswoman for Mahar, said: "The sheriff's office is investigating a complaint filed by Samaritan Hospital regarding medical records. This office has no comment on internal investigations or personnel matters."

Because Samaritan Hospital provides treatment for inmates, the jail's nursing staff has access to Samaritan's electronic medical records for the purposes of coordinating care.

Streeter said persons granted access sign an agreement stating they would only access records for patients to whom they are providing care.

"The issue here is that some individuals used poor judgment and did not follow applicable privacy laws and standards of ethical conduct," Streeter said.

It was unclear what penalties apply to breaches of the Health Insurance Portability and Accountability Act regulations.

According to the Office for Civil Rights, charged with enforcing HIPPA regulations nationwide, a breach is defined as "an impermissible use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual."

After a notification of a breach is received by the Office of Civil Rights, the complaint is reviewed internally. Depending on a number of factors, the breach complaint can be referred to the U.S. Department of Justice for a criminal investigation.

Streeter said Samaritan did not notify the Office of Civil Rights of the breach, citing advice from their legal department.

Penalties could range from formal findings of fact to criminal prosecution.